What Is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
and its implementing regulations, commonly known as the HIPAA Privacy Rule
and the HIPAA Security Rule, protect the privacy and security of individually
identifiable health information, called “protected health information” or “PHI.”
Such information is held by health plans, health care clearinghouses, and most health
care providers, collectively known as “covered entities,” and their business associates
(entities that have access to individuals’ health information to perform work on
behalf of a covered entity).
The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information,
establishes national standards to protect the privacy of individuals’ identifiable
health information. In doing so, the Privacy Rule sets forth the circumstances under
which covered entities and their business associates may use or disclose an individual’s
health information, requires safeguards to protect the information, and gives individuals
rights, including rights to examine and obtain a copy of their health records and
to request corrections.
A major goal of the Privacy Rule is to ensure that individuals’ health information
is properly protected while allowing the flow of health information needed to provide
and promote high-quality health care, and to protect the public's health and well-being.
Given that the health care marketplace is diverse, the Privacy Rule is designed
to be flexible and comprehensive to cover the variety of uses and disclosures that
need to be addressed.
The Security Rule, or Security Standards for the Protection of Electronic Protected
Health Information, establishes a national set of security standards for
protecting health information that is held or transferred in electronic form. The
Security Rule sets out the technical, administrative, and physical safeguards that
covered entities and business associates must put in place to secure individuals’
electronic health information. The Security Rule is designed to be flexible and
scalable, and technology neutral, so a covered entity or business associate can
implement policies, procedures, and technologies that are appropriate for the entity’s
particular size, organizational structure, and risks to consumers’ electronic health
information. The U.S. Department of Health and Human Services Office for Civil Rights
has responsibility for administering and enforcing the Privacy and Security Rules.
How Does HIPAA Apply in Institutions of Higher Education?
Basic Principle. A major purpose of the Privacy Rule is to define
and limit the circumstances in which an individual’s protected health information
may be used or disclosed by covered entities. A covered entity may not use or disclose
protected health information, except either: (1) as the Privacy Rule permits or
requires; or (2) as the individual who is the subject of the information (or the
individual’s personal representative) authorizes in writing.
Generally, HIPAA does not apply to health information in student records
maintained by an IHE. While IHEs may maintain student health records, these records
are in most cases not protected by HIPAA. Rather, student health information
maintained at an IHE would be considered education or treatment records protected
HIPAA may apply, however, to patient records at a university hospital,
which may include records on students and non-students, or to the health records
of non-students at a university health clinic.
During the emergency planning process, if you believe health information to which
access may be needed is covered by HIPAA, you should consult the guidance
and resources section for further information about how HIPAA applies.
HIPAA Guidance and Resources
The Office for Civil Rights has developed, and continues to develop, extensive guidance
pertaining to the implementation of the HIPAA Privacy Rule and emergency situations.
The Office for Civil Rights website has guidance about the intersection between
HIPAA and FERPA, and the release of PHI for common emergency preparedness
issues and public health purposes, such as terrorism preparedness and outbreak investigations.
For more detailed information or additional guidance, please see the Office for
Civil Rights website at